| -rw-r--r-- | etc/defaults/rc.conf | 4 | ||||
| -rw-r--r-- | etc/network.subr | 12 | ||||
| -rw-r--r-- | etc/rc.d/netoptions | 12 | ||||
| -rw-r--r-- | etc/rc.d/network1 | 12 | ||||
| -rw-r--r-- | etc/rc.d/network2 | 12 | ||||
| -rw-r--r-- | etc/rc.d/network3 | 12 | ||||
| -rw-r--r-- | etc/rc.d/routing | 12 | ||||
| -rw-r--r-- | etc/rc.network | 12 | ||||
| -rw-r--r-- | sys/netinet/ip_icmp.c | 31 |
9 files changed, 108 insertions, 11 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index ab8e8b39a9d3..e80b0e85e286 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -9,7 +9,7 @@ # # All arguments must be in double or single quotes. # -# $Id: rc.conf,v 1.23 1999/07/26 10:49:33 brian Exp $ +# $Id: rc.conf,v 1.24 1999/08/03 10:11:02 eivind Exp $ ############################################################## ### Important initial Boot-time options #################### @@ -48,6 +48,8 @@ natd_flags="" # Additional flags for natd. tcp_extensions="NO" # Set to Yes to turn on RFC1323 extensions. log_in_vain="NO" # Disallow bad connection logging (or YES). tcp_keepalive="YES" # Kill dead TCP connections (or NO). +icmp_drop_redirect="NO" # Set to YES to ignore ICMP REDIRECT packets +icmp_log_redirect="NO" # Set to YES to log ICMP REDIRECT packets network_interfaces="auto" # List of network interfaces (or "auto"). ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration. #ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias entry. diff --git a/etc/network.subr b/etc/network.subr index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/network.subr +++ b/etc/network.subr @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' 
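Review bot: Each of the two new blocks in network_pass1 prints ' ignore ICMP redirect=YES' / ' log ICMP redirect=YES' before the `sysctl -w` runs, and only stdout is discarded, so on a kernel that lacks the `net.inet.icmp.drop_redirect` OID the boot message still claims the protection is active while sysctl's error lands on the console; this copies the existing `bmcastecho` block, but for a hardening knob it is better to report only what actually took effect, e.g. `sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null && echo -n ' ignore ICMP redirect=YES'`. Both blocks only ever write 1, so changing the variable back to NO leaves the kernel setting on until the next boot, again matching the neighbouring options. The identical hunk, with the same index hashes, is repeated in etc/rc.d/netoptions, network1, network2, network3, routing and etc/rc.network, which looks like a history-conversion artifact rather than seven independent edits. network_pass1 starts and ends outside the hunk.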
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/rc.d/netoptions +++ b/etc/rc.d/netoptions @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' diff --git a/etc/rc.d/network1 b/etc/rc.d/network1 index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/rc.d/network1 +++ b/etc/rc.d/network1 @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' diff --git a/etc/rc.d/network2 b/etc/rc.d/network2 index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/rc.d/network2 +++ b/etc/rc.d/network2 
@@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' diff --git a/etc/rc.d/network3 b/etc/rc.d/network3 index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/rc.d/network3 +++ b/etc/rc.d/network3 @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' diff --git a/etc/rc.d/routing b/etc/rc.d/routing index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/rc.d/routing +++ b/etc/rc.d/routing @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # 
From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' diff --git a/etc/rc.network b/etc/rc.network index 946e66cbdb51..ba40c16099f2 100644 --- a/etc/rc.network +++ b/etc/rc.network @@ -1,6 +1,6 @@ #!/bin/sh - # -# $Id: rc.network,v 1.51 1999/07/26 10:49:31 brian Exp $ +# $Id: rc.network,v 1.52 1999/07/26 15:17:23 brian Exp $ # From: @(#)netstart 5.9 (Berkeley) 3/30/91 # Note that almost all the user-configurable behavior is no longer in @@ -197,6 +197,16 @@ network_pass1() { echo -n ' broadcast ping responses=YES' sysctl -w net.inet.icmp.bmcastecho=1 >/dev/null fi + + if [ "X$icmp_drop_redirect" = X"YES" ]; then + echo -n ' ignore ICMP redirect=YES' + sysctl -w net.inet.icmp.drop_redirect=1 >/dev/null + fi + + if [ "X$icmp_log_redirect" = X"YES" ]; then + echo -n ' log ICMP redirect=YES' + sysctl -w net.inet.icmp.log_redirect=1 >/dev/null + fi if [ "X$gateway_enable" = X"YES" ]; then echo -n ' IP gateway=YES' diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index d82d1d6e8002..5a5abc4689e3 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * @(#)ip_icmp.c 8.2 (Berkeley) 1/4/94 - * $Id: ip_icmp.c,v 1.33 1998/12/04 04:21:25 dillon Exp $ + * $Id: ip_icmp.c,v 1.34 1999/03/06 23:10:42 archie Exp $ */ #include <sys/param.h> 
@@ -69,6 +69,14 @@ static int icmpmaskrepl = 0; SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW, &icmpmaskrepl, 0, ""); +static int log_redirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, log_redirect, CTLFLAG_RW, + &log_redirect, 0, ""); + +static int drop_redirect = 0; +SYSCTL_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, + &drop_redirect, 0, ""); + #ifdef ICMP_BANDLIM /* @@ -92,8 +100,8 @@ SYSCTL_INT(_net_inet_icmp, ICMPCTL_ICMPLIM, icmplim, CTLFLAG_RD, */ static int icmpbmcastecho = 0; -SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho, - 0, ""); +SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, + &icmpbmcastecho, 0, ""); #ifdef ICMPPRINTFS @@ -462,6 +470,23 @@ reflect: return; case ICMP_REDIRECT: + if (log_redirect) { + u_long src, dst, gw; + + src = ntohl(ip->ip_src.s_addr); + dst = ntohl(icp->icmp_ip.ip_dst.s_addr); + gw = ntohl(icp->icmp_gwaddr.s_addr); + printf("icmp redirect from %d.%d.%d.%d: " + "%d.%d.%d.%d => %d.%d.%d.%d\n", + (int)(src >> 24), (int)((src >> 16) & 0xff), + (int)((src >> 8) & 0xff), (int)(src & 0xff), + (int)(dst >> 24), (int)((dst >> 16) & 0xff), + (int)((dst >> 8) & 0xff), (int)(dst & 0xff), + (int)(gw >> 24), (int)((gw >> 16) & 0xff), + (int)((gw >> 8) & 0xff), (int)(gw & 0xff)); + } + if (drop_redirect) + break; if (code > 3) goto badcode; if (icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp) || |
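Review bot: The new `SYSCTL_INT` registrations for `log_redirect` and `drop_redirect` carry an empty description string, so the description sysctl(8) can show gives an operator no hint of what the knob does or that any non-zero value enables it. The existing `maskrepl` and `bmcastecho` entries do the same, but these are security-relevant switches and deserve a sentence: `&log_redirect, 0, "Log received ICMP redirects to the console"` and `&drop_redirect, 0, "Ignore received ICMP redirects"`.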
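Review bot: The `log_redirect` block reads `icp->icmp_ip.ip_dst` and `icp->icmp_gwaddr` before the case's existing `icmplen < ICMP_ADVLENMIN || icmplen < ICMP_ADVLEN(icp)` check, so a short ICMP_REDIRECT that the old code rejected as too short now has unvalidated inner-header fields formatted into the log first; unless the pullup earlier in icmp_input already guarantees ICMP_ADVLENMIN bytes (not visible here), the printed addresses can be stale mbuf bytes rather than packet contents. The log is also unthrottled, one `printf` per received redirect, so once an operator enables the knob anyone who can deliver redirects to the host can fill the console and message buffer at line rate; the ICMP_BANDLIM/icmplim machinery referenced in the hunk above appears to be a rate limiter and may be reusable, and at minimum `log(LOG_WARNING, ...)` is the kernel's conventional channel for this. Moving both new `if` blocks to just after the length check, with `drop_redirect` still breaking out before the routing update, keeps logging and dropping tied to well-formed packets, and counting dropped redirects in `icmpstat` would make the drop knob observable from userland. The enclosing switch in icmp_input starts and ends outside the hunk.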
